16

Can anyone point me to a resource that defines the maximum allowable length of the LDAP filter string in Active Directory?

GEOCHET
Tomalak

3 Answers

22

According to Technet: How Active Directory Searches Work, the maximum LDAP request size that the server attempts to process defaults to 10,485,760 bytes.

If the server receives a request that is larger than this value, it closes the connection. Hope that helps.

Tomalak
Stefan Gehrig
  • 10 Megs? You can send a 10 Meg LDAP query? That seems excessively large! This refers to the request. Does it refer to the response? That should be controlled elsewhere with maximum returned values, time for search, etc., I presume. – geoffc Feb 17 '09 at 19:32
  • This only refers to the request. Perhaps MaxQueryDuration, MaxTempTableSize and MaxDatagramRecv will also come into effect when using queries this large. The response size should be controlled by MaxPageSize and MaxResultSetSize, I think. – Stefan Gehrig Feb 18 '09 at 07:58
  • This size is real, and can kill your Active Directory. We use RSA tokens for our VPN 2-factor auth. After an update in 2012 RSA implemented a feature where it tried to log users who were not a member of certain groups (or something, I forget the specifics). Our primary VPN access group has 75k users. RSA created a filter which was essentially an "and not" concatenation of all 75k users. Needless to say that this was a very expensive query. So expensive it killed our DC. At which point the RSA service retried the query on a new DC. Wash. Rinse. Repeat. Good times! – Ryan Fisher Jun 28 '14 at 02:41
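Added example, not code from any of the answers above: a small Python helper that measures a filter's on-the-wire size against the 10,485,760-byte default quoted in this answer (and the 464-character ADUC GUI limit from the answer further down), and, for the kind of huge concatenated filter Ryan Fisher describes, splits a long value list into several OR-filters that each stay under a chosen byte budget. The attribute name, the sample DNs and the RFC 4515 escaping helper are my own assumptions.

```python
AD_DEFAULT_MAX_REQUEST_BYTES = 10_485_760  # AD default request size from the Technet figure above
ADUC_GUI_MAX_CHARS = 464                   # ADUC GUI limit from pberry's answer on this page

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for an LDAP filter (RFC 4515 \\xx form)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def filter_byte_length(filter_str: str) -> int:
    """Size of the filter as it travels on the wire (UTF-8 bytes, not characters)."""
    return len(filter_str.encode('utf-8'))

def check_filter(filter_str: str) -> dict:
    """Report whether a finished filter fits the two limits discussed on this page."""
    n = filter_byte_length(filter_str)
    return {'bytes': n,
            'fits_ad_default': n <= AD_DEFAULT_MAX_REQUEST_BYTES,
            'fits_aduc_gui': len(filter_str) <= ADUC_GUI_MAX_CHARS}

def build_or_filter(attr: str, values) -> str:
    """(|(attr=v1)(attr=v2)...) with escaped values; one value gives a bare (attr=v)."""
    clauses = ['(%s=%s)' % (attr, escape_filter_value(v)) for v in values]
    return clauses[0] if len(clauses) == 1 else '(|' + ''.join(clauses) + ')'

def chunk_or_filters(attr: str, values, max_bytes: int) -> list:
    """Split a long value list into OR-filters that each stay within max_bytes.

    Byte counts are tracked incrementally so this stays linear even for the
    tens of thousands of values in the scenario described above.  A single
    value that cannot fit on its own raises instead of producing an oversized
    request.
    """
    wrapper = filter_byte_length('(|)')       # bytes spent on the enclosing OR
    chunks, current, used = [], [], 0
    for v in values:
        clause_bytes = filter_byte_length('(%s=%s)' % (attr, escape_filter_value(v)))
        if clause_bytes > max_bytes:
            raise ValueError('value %r alone exceeds %d bytes' % (v, max_bytes))
        if current and used + clause_bytes + wrapper > max_bytes:
            chunks.append(build_or_filter(attr, current))
            current, used = [], 0
        current.append(v)
        used += clause_bytes
    if current:
        chunks.append(build_or_filter(attr, current))
    return chunks

if __name__ == '__main__':
    # Constructed sample DNs, not real directory data.
    members = ['cn=alice,ou=x', 'cn=bob,ou=x', 'cn=carol,ou=x']
    for f in chunk_or_filters('member', members, max_bytes=66):
        print(filter_byte_length(f), f)
```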
6

According to the specification in RFC1558, there is not a hard limit imposed on the length of LDAP filter strings. Different implementations might have their own limits though.

Chris Ballance
  • That's what I was assuming. I hoped there was some Microsoft white paper giving some hard facts, though. However, it sounds reasonable that there is no limit. – Tomalak Feb 16 '09 at 13:58
  • I'll leave the question open until tomorrow. Just in case someone comes up with a definitive link on the topic. – Tomalak Feb 16 '09 at 14:39
5

If you're using the AD Users and Groups GUI interface to construct the query you are limited to 464 characters. If you're using dsquery from the command line you are not limited to 464 characters. I don't know the upper bounds for filter length on dsquery, but I assume it's in line with the LDAP spec.

pberry
  • On my Win7x64 ADUC UI, I'm limited to 406 chars in the Find Custom Search dialog's Advanced tab's 'Enter LDAP Query' – execNext Sep 21 '11 at 14:55